Associating Existing Membership DB with ACS

  • Question

  • The ability of ACS to connect to multiple identity providers is cool!

    But if I have a current membership database, is it possible to associate those members in my DB so that they have the ability to perform SSO, so that they can sign in using FB, GoogleID, LiveID, Facebook ID?

    If yes, where do we store those "association rules"?

    Great if somebody can provide me links / hands-on-lab how to achieve it since I didn't find it in WAPTK.

    Monday, May 23, 2011 6:28 AM

Answers

All replies

  • You cannot connect a membership DB to ACS.

    You would need a security token service that can authenticate users using membership and then send a token to ACS (http://startersts.codeplex.com e.g.).

    This security token service would be registered as an identity provider in ACS (like google, live id etc).


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Monday, May 23, 2011 11:24 AM
  • Thanks Dominick for the answer.

    I've visited StarterSTS and the screencast; however, there isn't any info on how to achieve the associated SSO scenario I was talking about. Something like https://www.smalser.com/wordpress/wp-login.php


    Appreciate if you can provide me some info / link how to achieve that.
    Tuesday, May 24, 2011 3:38 PM
  • In that case you need to explain what exactly you are trying to accomplish.


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Tuesday, May 24, 2011 5:50 PM
  • Assuming I have my own membership database that contains thousands of users. Typically, the user logs in using the username and password that they registered in advance. Is there any possibility where I can associate their username with their Identity Provider ID (Google ID / Facebook ID / Live ID) (of course they will need to provide them in advance), so that when they are logged in to their own Identity Provider ID, they will be automatically logged in to my app?

    Actually somewhat similar to https://www.smalser.com/wordpress/wp-login.php

    Wednesday, May 25, 2011 12:28 AM
  • Thursday, May 26, 2011 8:48 AM
  • Hi Daniell,

    > Actually somewhat similar to https://www.smalser.com/wordpress/wp-login.php

    The given page is using the ACS WordPress Plugin. So your requirement is that the user can log in to your site using either username, password or Google ID, Facebook ID and Live ID? Or do you want to associate the existing user with a Google ID, Facebook ID and Live ID?

    Please check http://acs.codeplex.com/ to see if there is a sample that fits your need.

    Thanks,


    Wengchao Zeng
    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework
    Thursday, May 26, 2011 9:36 AM
  • Let's say I have a membership database that consists of users' basic info (username, password, dob, etc.)

    I can add some more fields for them to store their Google ID, Live ID, Yahoo ID, Facebook account.

    Once they are stored, my requirement is: is it possible that when they've successfully logged in to any one of the identity providers, my app will automatically sign them in?

    I am not sure whether we can achieve that using ACS. That's why I ask this here.

    Friday, May 27, 2011 2:05 PM
  • You can absolutely do that - but that logic must happen inside your application.

    The user would e.g. log on first using the "native" account - and then associate this account with a web identity provider (via an ACS sign-in).


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Friday, May 27, 2011 2:13 PM
  • I think there are two related scenarios that require very similar interaction with ACS:

    1. A brand new user that wants to use external identity provider when registering

    2. An existing user that wants to start using an external identity provider

    This is how I was thinking about approaching these scenarios:

    For #1, the new registration page would prompt to authenticate using ACS. Then I would have ACS redirect the user back to a page to continue the registration process. From here, I would pick up the nameidentifier claim that came from ACS, and then store this in a user table, along with name, email address, and whatever other information that I want the registrant to provide during registration.

    For #2, I would have a special page that links the identity from a third-party identity provider (through ACS) to the current user. It would prompt the user to authenticate using ACS. I would have ACS redirect to a page that takes the nameidentifier claim and then stores it in the user table for the logged-in user.

     

    The one question that I have is how do you have ACS redirect back to three different URLs under different circumstances (1. Regular login, 2. New user registration, 3. Linking identity to existing user) for the same relying party application? Is it possible to do this?

     

    • Marked as answer by Wenchao Zeng Tuesday, May 31, 2011 2:28 AM
    Friday, May 27, 2011 8:04 PM
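
The linking logic discussed in this thread (native sign-in first, then storing the nameidentifier claim against the user), as an added example that is not part of any post or of ACS itself. It assumes the ACS token has already been validated and its claims extracted; `IdentityStore`, `ExternalId`, the intent names, keeping the intent in the server-side session, and keying links on provider plus nameidentifier are choices made here for illustration.

```python
# Added example, not from the thread. IdentityStore, ExternalId and the
# intent names are hypothetical; all sample values are constructed.
from dataclasses import dataclass, field

class LinkError(Exception):
    """Raised when a returned identity may not be used for the requested flow."""

@dataclass(frozen=True)
class ExternalId:
    identity_provider: str  # which provider ACS says authenticated the user
    name_identifier: str    # nameidentifier claim value from the ACS token

@dataclass
class IdentityStore:
    users: set = field(default_factory=set)    # native membership usernames
    links: dict = field(default_factory=dict)  # ExternalId -> native username

    def handle_return(self, intent, ext, session_user=None, new_username=None):
        # intent is read from the app's own server-side session, where it was
        # saved before the redirect to ACS; it is never taken from the request.
        owner = self.links.get(ext)
        if intent == "login":
            if owner is None:
                raise LinkError("identity is not linked to any account")
            return owner
        if intent == "register":
            if owner is not None:
                raise LinkError("identity is already linked to an account")
            if not new_username or new_username in self.users:
                raise LinkError("username missing or already taken")
            self.users.add(new_username)
            self.links[ext] = new_username
            return new_username
        if intent == "link":
            # Linking requires a live native sign-in, so only the account
            # owner can attach an external identity to it.
            if session_user not in self.users:
                raise LinkError("native sign-in required before linking")
            if owner not in (None, session_user):
                raise LinkError("identity is linked to a different account")
            self.links[ext] = session_user
            return session_user
        raise LinkError("unknown intent: %r" % (intent,))

if __name__ == "__main__":
    store = IdentityStore(users={"daniel"})
    google = ExternalId("Google", "constructed-id-1")
    print(store.handle_return("link", google, session_user="daniel"))
    print(store.handle_return("login", google))
```
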
  • Hi Dominick,

    wondering if you can provide some more concrete guide in form of links / blogs / etc for achieving the idea you mentioned.

    I am still a bit blur on this

    Saturday, May 28, 2011 2:44 PM
  • Besides the links I already gave you? No.

    But it is very similar to the blog post I wrote.


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Saturday, May 28, 2011 7:00 PM